ARI JULIN et al.

Limited Comparison of Evolutionary Power Reactor Probabilistic Safety Assessments

ARI JULIN

Radiation and Nuclear Safety Authority (STUK)

Helsinki, Finland

MATTI LEHTO

Radiation and Nuclear Safety Authority (STUK)

Helsinki, Finland

GABRIEL GEORGESCU

Institute of Radiological Protection and Nuclear Safety (IRSN)

Fontenay-aux-Roses, France

SHANE TURNER

Office for Nuclear Regulation (ONR)

Bootle, United Kingdom

Abstract

The paper presents the insights from a limited PSA comparison on four EPR designs: Olkiluoto 3 in Finland, Flamanville 3 in France, UK EPR, and U.S. EPR. The work was done within the Multinational Design Evaluation Programme (MDEP) design specific working group on the EPR. MDEP was established in 2006 as a multinational initiative to develop innovative approaches to leverage the resources and knowledge of the national regulatory authorities. The aim of the PSA comparison was to examine the modeling approaches and outcome of EPR PSAs, and to find the rationale for possible differences. The comparison covered different types of initiators challenging a broad scope of safety functions. The EPR designs chosen for comparison represent various design and licensing stages, as well as levels of detail, which gives the main rationale for the identified differences. The paper also highlights the differences in modeling assumptions, applied reliability data, design solutions, and operational aspects. The insights and lessons learned from the comparison have been used to facilitate the regulatory reviews and assessment of EPR designs and to enhance the quality of EPR PSA models and documentation.

1.  INTRODUCTION

The EPR is an Evolutionary Pressurized Water Reactor (a.k.a. European Pressurized Water Reactor), whose design benefits from operating experience, especially in France and Germany. Reliable prevention and mitigation of severe accidents have been the main goals in the development of the EPR. Probabilistic Safety Assessment (PSA) was initiated at the beginning of the conceptual design stage. PSA has been utilized for design optimization with respect to safety and availability [1].

The following organizations were responsible for the EPR PSA comparison: Radiation and Nuclear Safety Authority of Finland (STUK), Institute of Radiological Protection and Nuclear Safety (IRSN) of France, Office for Nuclear Regulation (ONR) of the United Kingdom, United States Nuclear Regulatory Commission (USNRC) and National Nuclear Safety Authority (NNSA) of China. The work was carried out within the Multinational Design Evaluation Program (MDEP) design specific working group on the Evolutionary Power Reactor (EPRWG). MDEP was established in 2006 as a multinational initiative to develop innovative approaches to leverage the resources and knowledge of the national regulatory authorities. The Organization for Economic Co-Operation and Development (OECD) Nuclear Energy Agency (NEA) facilitates MDEP's activities by acting as technical secretariat for the program.

The PSA comparison was conducted on the following EPR designs: Olkiluoto 3 Nuclear Power Plant (NPP) in Finland (OL3), Flamanville 3 NPP in France (FA3), UK EPR design, U.S. EPR design, and partly also Taishan NPP (China).

The aim of the comparison was to examine the modeling approaches and outcome of EPR PSAs, and to find the rationale for possible differences, in order to provide support for safety evaluations and PSA reviews in MDEP member countries.

2. DEVELOPMENT OF EPR PSA

The EPR PSA development was performed in parallel with the early phases of EPR design work. The first Level 1 PSA for internal initiating events was completed at the end of the basic EPR design in 1999. EPR PSAs for OL3 and FA3 NPPs were developed on the basis of the first Level 1 internal events model and documentation. The OL3 construction license PSA (2004) has been updated several times in the course of the detailed design process, more or less independently from other EPR PSAs. The OL3 PSA (2004) was used in the development of the U.S. EPR PSA for the Design Certification (DC) process in 2007. The PSA for the UK EPR Generic Design Assessment (GDA) process was at least partially based on the three aforementioned PSAs: OL3 (2004), FA3 (2006) and U.S. EPR (2007). Although EPR PSA developers have been exchanging PSA information and findings, each EPR PSA has been extended and updated in accordance with its own project specific requirements while the licensing and/or the detailed design processes have progressed.

Some PSAs are more or less so-called full scope PSAs in terms of the coverage of initiating events, i.e. internal IEs as well as internal and external hazards are included in the analyses. The others include somewhat limited analysis of hazards, as summarized in Table 1.

TABLE 1. SCOPE OF PSA MODELS

PSA item / FA3 (FSAR) / UK EPR (GDA) / OL3 (Oper. License) / U.S. EPR (DC)
Level 1 / x / x / x / x
Level 2 / x / x / x / x
Level 3 / simplified / simplified (full scope by HPC) / - / Full scope in support of Environmental Report
Internal Events / x / x / x / x
Internal Hazards / x / at power / x / x
External Hazards / x / limited / x / x
Seismic / simplified / PSA based SMA** / Seismic PSA / PSA based SMA
Fuel Pool Accident / x / x / x / -
LCHF* / x / x / - / -

* Scenarios with low consequence and high frequency (no core damage)

** Seismic Margin Assessment

3. EPR PSA COMPARISON

3.1. Scope of comparison

Detailed comparison of large and comprehensive PSAs is a very labor intensive job. In order to enable effective use of limited resources and to keep the focus on most important aspects in PSAs, the scope of comparison was limited to the following four initiating events (IEs): medium loss-of-coolant accident (LOCA), loss of offsite power (LOOP), steam generator tube ruptures (SGTR), and loss of cooling chain (LOCC). The selection of IEs was based on two criteria: 1) at least one IE from all main initiator groups i.e. transients, LOCAs, primary-secondary leakages and common cause initiators (CCI), and 2) IEs challenging a broad scope of safety functions. The main focus in comparison was on the IE definition, modeling of accident sequences (i.e., timing, safety functions, success criteria, automatic and manual actions, etc.), minimal cut sets, importance measures, and quantitative results.

The analysis of internal initiating events forms the basis of plant specific PSA. EPR designs included in the comparison represent various stages of the design process and licensing process, as well as levels of modeling detail. Therefore, internal initiating events PSAs were selected for the EPR PSA comparison effort. The sources of the background information on the EPR PSAs are summarized in Table 2.

TABLE 2. EPR PSA MODELS AND DOCUMENTATION

EPR design / PSA information source
FA3 / Final Safety Analysis Report (FSAR) (2010)*
UK EPR / GDA step 4 (2011) [2], GDA PCSR (2011) [3]
OL3 / Pre-Operating License Application (pre-OLA, v104, 2010)
U.S. EPR / Design Certification (DC) rev. 5 + PSA (2013)

* Updated in 2015 (next update in 2017)

3.2. Main Results of EPR PSAs

Table 3 presents the results of the four different EPR designs' internal initiating events PSAs for power operating modes. The total core damage frequencies (CDFs) are fairly similar but the risk profiles are not identical. Based on the experience from previous PSA comparisons performed e.g. in France and Finland, it was evident that the comparison should not focus only on those IEs whose CDFs differ the most. Even with similar CDFs, significant differences may be identified related to IE frequencies, most important cut sets, modeling details, most important basic events, assumptions etc.

TABLE 3. EPR PSA INTERNAL INITIATING EVENTS CDF (1/YEAR)

IE / DESCRIPTION / FA3 / UK EPR (A) / OL3 / U.S. EPR
LOOP / Loss of Offsite Power / 1,40E-07 / 2,97E-07 / 1,33E-07 / 1,23E-07
LOCA / Loss of primary coolant accident / 5,70E-08 / 1,06E-07 / 7,08E-08 / 4,48E-08
MLOCA / Medium LOCA / (3,6E-08) / (9,2E-09) / (3,1E-08) / (9,1E-10)
V-LOCA / LOCA leading to containment bypasses / 6,50E-10 / 3,70E-09 / 1,50E-08 / -
Prim-Tr / Primary circuit transients / 2,00E-08 / 5,25E-08 / 1,07E-08 / -
Sec-Tr / Secondary circuit transients / 4,60E-09 / 1,63E-08 / 8,37E-08 / 1,37E-08
Sec. Br. / Secondary circuit breaks / 1,80E-08 / 1,3E-08 / 8,88E-09 / -
SGTR / Steam Generator Tube rupture(s) / 1,10E-08 / 1,02E-08 / 2,21E-08 / 2,63E-08
LOCC / Loss of cooling chain or heat sink / 8,80E-08 / 9,46E-08 / 1,94E-08 / 3,61E-08
Other / Other IEs / 1,38E-07 / 2,58E-08 / 1,21E-07 / 4,91E-08
TOTAL / 4,8E-07 / 6,2E-07 / 4,8E-07 / 2,9E-07

(A) PSA for a UK EPR™ at Hinkley Point C [4]
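The statement that the totals are similar while the risk profiles differ can be checked directly from Table 3. The following is an added example, not part of the original paper: it parses the table's cells (decimal commas, "-" for not reported, the description column omitted), computes each IE group's share of the summed CDF, and checks the sum against the stated TOTAL within rounding. It assumes the parenthesized MLOCA values are a subset of the LOCA row and are not added to the total.

```python
# Added example: risk profiles computed from Table 3 (cell values copied from the table).
ROWS = """\
LOOP / 1,40E-07 / 2,97E-07 / 1,33E-07 / 1,23E-07
LOCA / 5,70E-08 / 1,06E-07 / 7,08E-08 / 4,48E-08
MLOCA / (3,6E-08) / (9,2E-09) / (3,1E-08) / (9,1E-10)
V-LOCA / 6,50E-10 / 3,70E-09 / 1,50E-08 / -
Prim-Tr / 2,00E-08 / 5,25E-08 / 1,07E-08 / -
Sec-Tr / 4,60E-09 / 1,63E-08 / 8,37E-08 / 1,37E-08
Sec. Br. / 1,80E-08 / 1,3E-08 / 8,88E-09 / -
SGTR / 1,10E-08 / 1,02E-08 / 2,21E-08 / 2,63E-08
LOCC / 8,80E-08 / 9,46E-08 / 1,94E-08 / 3,61E-08
Other / 1,38E-07 / 2,58E-08 / 1,21E-07 / 4,91E-08
TOTAL / 4,8E-07 / 6,2E-07 / 4,8E-07 / 2,9E-07
"""
DESIGNS = ["FA3", "UK EPR", "OL3", "U.S. EPR"]

def parse_cell(cell):
    # Returns (value, is_subset): "-" means not reported, "(x)" marks a subset row.
    cell = cell.strip()
    if cell == "-":
        return None, False
    subset = cell.startswith("(") and cell.endswith(")")
    return float(cell.strip("()").replace(",", ".")), subset

def load(rows=ROWS):
    cdf, totals = {d: {} for d in DESIGNS}, {}
    for line in rows.splitlines():
        ie, *cells = [c.strip() for c in line.split(" / ")]
        for design, cell in zip(DESIGNS, cells):
            value, subset = parse_cell(cell)
            if ie == "TOTAL":
                totals[design] = value
            elif value is not None and not subset:  # assumption: MLOCA is inside LOCA
                cdf[design][ie] = value
    return cdf, totals

def profile(design):
    # Fractional contribution of each IE group to the design's summed CDF.
    cdf, _ = load()
    summed = sum(cdf[design].values())
    return {ie: v / summed for ie, v in cdf[design].items()}

def totals_consistent(tol=0.05e-7):
    # TOTAL is given to two significant figures, so allow half a unit in the last place.
    cdf, totals = load()
    return {d: abs(sum(cdf[d].values()) - totals[d]) <= tol for d in DESIGNS}

if __name__ == "__main__":
    for d in DESIGNS:
        print(d, {ie: f"{v:.0%}" for ie, v in profile(d).items()}, totals_consistent()[d])
```

The row sums reproduce the stated totals only when MLOCA is left out, which supports reading it as a sub-item of LOCA.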

4. EPR DESIGN DIFFERENCES

The MDEP EPRWG PSA technical expert subgroup has held joint meetings with EPR vendors, exchanging information related to regulatory review findings, modeling details, design differences and potential new design changes. The aim was to find the rationale for differences in EPR PSAs, whether their origin is in design, PSA modeling or data.

Reasons for differences in design solutions and modeling of EPR PSAs include, among others:

—  Progress of plant design (GDA, DCD, OLA, FSAR…);

—  Project specific customer requirements;

—  Project specific regulations;

—  Project specific rules and standards;

—  Project/customer database;

—  Project specific site characteristics;

—  Project specific modeling assumptions/approaches of the PSA teams.

Examples of known differences, which are implemented due to regulations, site, operator, industry or project timing (not all of these are directly related to the PSA comparison exercise):

—  All EPRs share the same objective to minimize the release to the environment in case of SGTR. Different SGTR management strategies exist. All EPRs have the faulty steam generator automatically isolated at the end of partial cooldown. If not, all EPRs have manual isolation done around 60 minutes post fault. Specifically for OL3, the automatic signal can be initiated by “activity measurements”.

—  There are some differences in system design, e.g. HVAC systems, extra borating system, fuel pool cooling system, EDG size and cooling, fire zoning design, electrical supply for main steam relief train, and some of the I&C systems.

—  Full rupture (2A LOCA) of reactor coolant systems is not studied as a design basis event in all EPR designs.

—  There are differences in reactor coolant system insulation material (mineral vs. glass wool), but this has no impact on the PSA.

—  There are design differences related to severe accident management, for example:

·  Fulfilment of single failure criterion in severe accident management systems is required in OL3.

·  Diversity between severe accident and design basis accident equipment is required in some EPR designs.

·  Redundancy in severe accident depressurization is required in some EPR designs.

·  Severe accident containment filtered venting is required in some EPR designs.

The risk significance of the identified design differences has not been fully evaluated. However, the overall insight based on the limited EPR PSA comparison suggests that none of these differences plays a very important role in terms of risk.

5. SUMMARY AND CONCLUSIONS

The main comparison work was performed a few years ago and therefore the most recent developments in the EPR design and PSA models are not reflected in the paper.

The first overall insight of the PSA comparison is a global agreement on the most important results (total CDF and main contributions), leading to a reasonable confidence in the PSAs. However, the more detailed comparison identified several differences which could generally be explained.

One of the most important reasons for the identified differences is that the compared EPR PSAs represent various stages of the design process and licensing process, as well as levels of modeling detail. Some PSAs are so-called full scope PSAs in terms of the coverage of operating modes and initiating events, i.e. internal IEs as well as internal and external hazards are included in the analyses. The others include somewhat limited analyses of hazards.

Comparison of the numerical results of different EPR design PSAs is not straightforward. Firstly, each PSA represents various phases of licensing and detailed design processes. Secondly, there are differences in EPR designs, which affect the risk. Thirdly, studying the numerical results alone does not reveal the definitions and assumptions related to the modeling of IE groups and the accident progression.

The following issues and insights were identified:

—  Modeling of digital I&C: the differences in the details and assumptions related to the modeling of I&C systems explain some of the identified differences. The different I&C architectures also play an important role in the differences. In addition, the detailed design of the OL3 I&C system was under development and some changes were foreseen.

—  Modeling of ventilation: modeling of HVAC systems is not at the same level in the different PSAs, although the contribution of HVAC can be significantly different due to site characteristics (tropicalization) and lead to different design choices (e.g. diversification of the safeguard buildings electrical divisions ventilation for OL3).

—  RCP seal LOCA management: at the time of the comparison, the assumptions and the level of detail in the seal LOCA modeling appear rather different and lead to differences in the results.

—  Pipe rupture frequencies: regarding the data used for the LOCA frequencies, there is a significant difference between the OL3/FA3 PSAs and the UK/US EPR PSAs. It is not clear which data is the most representative. However, the differences in design should not affect the initiating event data (the basis used to estimate the pipe rupture frequencies is not detailed enough to differentiate between minor design differences). The choice of applicable data may be driven by the licensee, the vendor or in some cases by the regulatory body.

—  Success criteria and supporting (thermal-hydraulic) studies: for example, the Steam Generator (SG) success criteria in case of MLOCA or the feed and bleed success criteria are different and can explain different results.

—  Reliability data: certain component data are rather different, although the effect on the results remains limited.

—  Human Reliability Analysis (HRA): the human error probabilities are in some cases quite different, due to different assumptions in modeling and different support calculations concerning the time available for the action.